To Next Page

To Previous Page

Dynamic ARP Inspection Overview

SecureStack C2 Configuration Guide 17-17

• Loopbackaddresses(intherange127.0.0.0/8)

Logging Invalid Packets

Bydefault,DAIwritesalogmessagetothenormalbufferedlogforeachinvalidARPpacketit

drops.YoucanconfigureDAItonotloginvalidpacketsforspecificVLANs.

Packet Forwarding

DAIforwardsvalidARPpacketswhosedestinationMACaddressisnotlocal.TheingressVLAN

couldbeaswitchingorroutingVLAN.ARPrequestsarefloodedintheVLAN.ARPresponsesare

unicasttowardtheirdestination.DAIqueriestheMACaddresstabletodetermin ethe outgoing

port.IfthedestinationMAC

addressislocal,DAIgivesvalidARPpacketstotheARPapplication.

Rate Limiting

ToprotecttheswitchfromDHCPattackswhenDAIisenabled,theDAIapplicationenforcesarate

limitforARPpacketsreceivedonuntrustedinterfaces.DAImonitorsthereceiverateoneach

interfaceseparately.Ifthereceiverateexceedsaconfigurablelimit,DAIerrordisablesthe

interface,whicheffectivelybringsdown

theinterface.Youcanusethesetportenablecommand

toreenabletheport.

Youcanconfigureboththerateandtheburstinterval.Thedefaultrateis15ppsoneachuntrusted

interfacewitharangeof0to100pps.Thedefaultburstintervalis1secondwith

arangeto1to15

seconds..TheratelimitcannotbesetontrustedinterfacessinceARPpacketsreceivedontrusted

interfacesdonotcometotheCPU.

Eligible Interfaces

DynamicARPinspectionisenabledperVLAN,effectivelyenablingDAIonthemembersofthe

VLAN,eitherphysicalportsorLAGs.TrustisspecifiedontheVLANmembers.

DAIcannotbeenabledonport‐basedroutinginterfaces.Itmaybeconnectedto:

•Asinglehostthroughatrustedlink(forexample,

aserver)

•Ifmultiplehostsneedtoconnected,theremustbeaswitchbetweentherouterandthehosts, 

withDAIenabledonthatswitch

Interaction with Other Functions

•DAIreliesontheDHCPsnoopingapplicationtoverifythata{IPaddress,MACaddress,

VLAN,interface}tupleisvalid.

•DAIregisterswithdot1qtoreceivenotificationofVLANmembershipchangesfortheVLANs

whereDAIisenabled.

•DAItellsthedriverabouteachuntrustedinterface(physicalportorLAG)where

DAIis

enabledsothatthehardwarewillint erceptARPpacketsand sendthemtotheCPU.

Enterasys SecureStack C2 C2G170-24 User Manual

Other manuals for Enterasys SecureStack C2 C2G170-24